OAuth scope and state lost in redirect

Hello,

When I init the OAuth flow I’m sending the following request:

curl -i 'http://tyk-gateway:8080/chaosauth/oauth/authorize/?response_type=code&scope=email%20address&client_id=cdaee49d104f42304d677c78e25ab61e&state=xxxxxxx&redirect_uri=http://test_api/test'

As you can see I’m sending scope and state. In the response, state and scope are missing:

Location: http://127.0.0.1:9001/oauth/authorize?client_id=cdaee49d104f42304d677c78e25ab61e&redirect_uri=http://test_api/test&response_type=code

Thanks. Regards.

@James Is this a bug in the OAuth request flow?

Hi

Tyk does not handle scopes when it hands back the redirect URL, it’s just the way the Tyk OAuth server works.
I’ve passed this on to the product team, they will look to see if there’s something that can be done about it in future.

Thanks @James, the state is a must; with it you can avoid some security issues, as the client can verify that the callback is from its original request.

Regards.

+1 on this, would like both scope and state.

Any updates on this, @James? I’m surprised to learn that scope and state are not supported. I wanted to use scope today but couldn’t understand what happened to it until I realized Tyk was stripping it while redirecting.

Hi @richardolsson - I’ve not seen a change on this. @matiasb may know?

It would be great to get this fixed. The state param is intended as a security feature of OAuth, and the scope parameter is very useful if you want to implement things like two-factor authentication or scoped/limited access tokens.

Since both are really just parameters passed from client app to the login page, and require no explicit support in Tyk, I see no reason why Tyk would strip them out like it does currently.
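The two points raised in this thread (the gateway should pass state and scope through to the login page unchanged, and the client must check state on the callback to tie the response to its own request) as an added Go example; this is not Tyk's code or the osin library's, and the function names, the passthrough parameter list and the sample values are assumptions constructed here for illustration:

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// passthroughParams is the constructed list of authorize-request parameters a
// gateway should carry onto the login-page redirect without modification
// (the standard RFC 6749 authorization request parameters).
var passthroughParams = []string{"response_type", "client_id", "redirect_uri", "scope", "state"}

// BuildLoginRedirect takes the query of an incoming /oauth/authorize request and
// the login page base URL and returns the Location the gateway should hand back.
// In contrast to the behaviour reported in the thread, scope and state survive.
func BuildLoginRedirect(loginPage string, incoming url.Values) (string, error) {
	u, err := url.Parse(loginPage)
	if err != nil {
		return "", err
	}
	if incoming.Get("client_id") == "" || incoming.Get("redirect_uri") == "" {
		return "", errors.New("client_id and redirect_uri are required")
	}
	q := u.Query()
	for _, p := range passthroughParams {
		if v := incoming.Get(p); v != "" {
			q.Set(p, v) // copied verbatim; url.Values re-encodes it safely
		}
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// NewState creates an unguessable state value. The client stores it in the
// user's session before redirecting the browser to the authorization endpoint.
func NewState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// VerifyCallbackState compares the state echoed on the redirect_uri callback
// with the value stored in the session. A missing or mismatched state means the
// callback was not triggered by this client's own request (the CSRF case the
// state parameter exists to prevent) and the code must not be exchanged.
func VerifyCallbackState(callback url.Values, stored string) bool {
	got := callback.Get("state")
	if got == "" || stored == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(got), []byte(stored)) == 1
}

func main() {
	// Constructed sample: the values from the request quoted earlier in the thread.
	in := url.Values{}
	in.Set("response_type", "code")
	in.Set("client_id", "cdaee49d104f42304d677c78e25ab61e")
	in.Set("redirect_uri", "http://test_api/test")
	in.Set("scope", "email address")
	in.Set("state", "xxxxxxx")
	loc, err := BuildLoginRedirect("http://127.0.0.1:9001/oauth/authorize", in)
	if err != nil {
		panic(err)
	}
	fmt.Println("Location:", loc)

	st, _ := NewState()
	cb := url.Values{}
	cb.Set("code", "constructed-code")
	cb.Set("state", st)
	fmt.Println("callback accepted:", VerifyCallbackState(cb, st))
	cb.Set("state", "forged")
	fmt.Println("forged callback accepted:", VerifyCallbackState(cb, st))
}
```

The gateway side needs no knowledge of what the scope values mean: it only has to copy them, which is the point made above that these parameters require no explicit support. The state check on the client side uses a constant-time comparison and rejects an absent state outright rather than treating it as optional.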

Is this still an issue? Just curious because it doesn’t seem like it has been resolved.

About scopes - we currently support scopes in JWT and OIDC auth Mapping JWT scopes to policies · Issue #1834 · TykTechnologies/tyk · GitHub (no UI just yet)
About state - looks like it’s in use for oidc per oidc standard. Will check that for you as well.

state is supported.
About scopes - can you please explain why it doesn’t require explicit support in Tyk?
Thanks

*Update: sorry, you were right. It’s only for oidc flow. Will check that.

@seungwoo_choi and @richardolsson

@richardolsson because of your question about just returning state and scope, I looked at the code, not just our docs, and looks like we can support simple state and scope by returning the output we get when using the osin library (Golang OAuth2 server library).

Looks like we swallow this response here tyk/oauth_manager.go at 6abbf8fd4b9c63f796f144f041db8c92eb236c89 · TykTechnologies/tyk · GitHub

I’ll check with the dev team and let you know